table of contents
POLKIT-DEFAULT-PRI(5) | POLKIT-DEFAULT-PRI(5) |
NAME¶
polkit-default-privs - configuration of polkit security profiles
DESCRIPTION¶
The files in /usr/etc/polkit-default-privs/profiles define different security profiles that influence the authorization required for various polkit actions used across applications. These files are line based and whitespace delimited.
Lines starting with # are comments. Comments and empty lines will be ignored. All other lines consist of two whitespace delimited columns ACTION and AUTHORIZATION. The ACTION column specifies the polkit action name to configure the default polkit authorization settings for.
The AUTHORIZATION column consists of colon separated fields of the form ANY-USER:INACTIVE-CONSOLE:ACTIVE-CONSOLE. Each of the fields can have one of the values auth_admin, auth_admin_keep, auth_self, auth_self_keep, no and yes. For the meaning of these values see polkit(8). The field ACTIVE-CONSOLE determines the authorization required for active users on a local console. The field INACTIVE-CONSOLE determines the authorization required for inactive users on a local console (e.g. a locked graphical session). The field ANY-USER determines the authorization required for all others users (e.g. remotely logged in via SSH). If all three fields carry the same value then the column can be shortened to a single field without a separating colon. This setting will then apply to all three field types.
Changes in these files don’t take effect immediately. The settings need to be converted into polkit java script code. This can be achieved by calling set_polkit_default_privs(8).
PROFILE TYPES¶
There exist three profile types for setting polkit default privileges. The selection of the profile is performed via the setting POLKIT_DEFAULT_PRIVS in /etc/sysconfig/security. The following profile types exist:
EXAMPLES¶
org.spice-space.lowlevelusbaccess auth_admin:auth_self:yes
This line configures the org.spice-space.lowlevelusbaccess polkit action to require admin authentication for remote users, the own account password for inactive users and no authentication for active users.
net.connman.modify auth_admin
This line configures the net.connman.modify polkit action to require admin authentication for all three user context types: remote users, inactive users and active users.
FILES¶
/usr/etc/polkit-default-privs/local.template is a template for /etc/polkit-default-privs.local
/usr/etc/polkit-default-privs/profiles/restrictive
/usr/etc/polkit-default-privs/profiles/standard
/usr/etc/polkit-default-privs/profiles/easy
SEE ALSO¶
AUTHORS¶
Written by Ludwig Nussel <ludwig.nussel@suse.de>
Man page written by Matthias Gerstner <matthias.gerstner@suse.de>
REPORTING BUGS¶
Report bugs to https://bugzilla.suse.com/
07/20/2021 |